
Securing Energy Infrastructure from Cyber Threats

Introduction

Energy infrastructure is one of the largest sectors in the world. It has evolved over the past 200 years and is still evolving. The move from mechanical to electronic to sophisticated control system technologies has improved ease of use and efficiency. Yet even as newer software and equipment emerge, energy infrastructure remains highly vulnerable because of the legacy applications still running on plant premises.

Industrial automation works differently from the information technology (IT) industry. Its applications are designed for high availability and high performance for control purposes. Each application was released for the operating system of its time, so the two started their journey together. Operating systems, however, are upgraded very quickly (even yearly), while industrial software such as distributed control systems (DCS), supervisory control and data acquisition (SCADA), and human machine interfaces (HMI) has not been upgraded at a similar rate. This has opened a huge gap, and that gap is a source of system vulnerability.

Still, in many plants, we wouldn't be surprised to find Windows XP running peacefully and the applications running smoothly as well. This won't last long due to the changing cyber threat landscape.

What is Energy Infrastructure?

Energy infrastructure includes the power generation, power distribution, and power consumption segments. At a more granular level, these can be segmented further; power generating stations, for example, could be categorized as renewable, non-renewable, solar, thermal, wind, etc.

These power stations and distribution stations contain control systems. All of these control systems use software to some extent, and with software come its bugs, its vulnerabilities, and its risks.

What Type of Software is Being Used in the Plant?

The software used in these sectors includes DCS, HMI, SCADA, monitoring systems, predictive maintenance software, vibration monitoring solutions, and more. All of this software runs on some sort of operating system: it could be Windows Server, Windows Workstation, Linux, or a proprietary software solution.

Some DCS include HIMA, SPPA-T-3000, Foxboro, Metso Automation, Yokogawa, Honeywell, and ABB, to name a few. Similarly, for specific solutions, several vendors, original equipment manufacturers (OEMs), service providers, or suppliers provide multiple solutions for energy sectors. Energy management systems are quite prominent in these sectors.

Why are Systems Not Upgraded Frequently?

"Upgrade and update" is not a daily routine in these industries, because availability is the utmost priority for industrial systems. The systems are so critical that they cannot afford to miss even a single microsecond, so custodians sacrifice security for availability.

What Issues Arise When Upgrading and Updating Systems Frequently?

The main issue is fear of the loss of service for any system. To understand this issue, we need to understand what is meant by upgrade or update.

An update can mean several things: the antivirus software installed on servers or workstations needs to be updated, or Windows pushes new updates, often very frequently, for discovered vulnerabilities or functionality improvements. An update may make a system reboot mandatory. If a plant has high-availability systems or multiple workstations, it can afford to prioritize these updates, ideally when they can be done as an online upgrade.

Where Do You Start from a Security Perspective? What is Mandatory?

Per my understanding of cybersecurity, the first thing to do is internal and external awareness, education, and knowledge about the threat landscape. Custodians can start with knowing the inventory of the plant, because for planning any cybersecurity solution, you must know what is in your plant.

Intensive inventory scanning and auditing will reveal new devices, even if the plant has been operational for many years. Some devices may have been neglected for a long time because they are less important or less used, and these become soft targets for cyber-attacks.
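
The inventory audit described above can be sketched as a reconciliation between the documented asset register and what is actually seen on the control network. This is an added example, not part of the original post; the sample register, the observed MAC addresses, the legacy OS list, and the patch-age threshold are all constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data: the plant's documented asset register.
INVENTORY_CSV = """mac,name,os,last_patched
00:1a:2b:00:00:01,HMI-01,Windows 10,2024-03-01
00:1a:2b:00:00:02,DCS-ENG-01,Windows XP,2014-04-08
00:1a:2b:00:00:03,VIB-MON-01,Linux,2019-06-15
00:1a:2b:00:00:04,HIST-01,Windows Server 2019,2024-02-10
"""

# Constructed sample data: MAC addresses seen on the control network during the audit.
OBSERVED_MACS = ["00:1A:2B:00:00:01", "00:1a:2b:00:00:02",
                 "00:1a:2b:00:00:03", "00:1a:2b:00:00:99"]

LEGACY_OS = {"windows xp"}   # assumption: OS names the site treats as legacy
MAX_PATCH_AGE_DAYS = 365     # assumption: site policy threshold


def audit(inventory_csv, observed_macs, today):
    """Reconcile the asset register with what the audit actually saw."""
    register = {row["mac"].lower(): row
                for row in csv.DictReader(io.StringIO(inventory_csv))}
    seen = {mac.lower() for mac in observed_macs}
    findings = {
        # On the network but never documented.
        "undocumented": sorted(seen - set(register)),
        # Documented but not seen: powered off, removed, or on an unscanned segment.
        "not_observed": sorted(register[m]["name"] for m in set(register) - seen),
        "legacy_os": [],
        "stale_patch": [],
    }
    for row in register.values():
        if row["os"].lower() in LEGACY_OS:
            findings["legacy_os"].append(row["name"])
        age_days = (today - date.fromisoformat(row["last_patched"])).days
        if age_days > MAX_PATCH_AGE_DAYS:
            findings["stale_patch"].append(row["name"])
    findings["legacy_os"].sort()
    findings["stale_patch"].sort()
    return findings


if __name__ == "__main__":
    for kind, items in audit(INVENTORY_CSV, OBSERVED_MACS, date(2024, 6, 1)).items():
        print(f"{kind}: {items}")
```

Devices that land in `undocumented` or `stale_patch` are the neglected assets the audit is meant to surface; each one needs an owner and a decision before it is left on the network.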

Conclusion

Securing energy infrastructure requires a balanced approach that considers both cybersecurity and operational availability. Starting with inventory management, awareness, and education is crucial for building a robust security posture.